Read of memory location 0x7ffe0000 in windows NT
Laurent Pinchart
laurent.pinchart at skynet.be
Mon Apr 1 16:11:09 CST 2002
Hi everybody,
I've stumbled accross some code which reads a dword at memory location
0x7ffe000, which causes the program to crash and the wine debugger to start.
After some investigation, it seems that reading the memory location
0x7ffe0000 should return KeTickCount.LowPart to the user process. Has anyone
ever heard about that ? I was wondering if it was a native windows NT
behaviour, or if it was done by a special kernel-space exception handler
installed by the program.
The assembly code which does the trick is
pusha
mov $0x7ffe0000,%edx
mov (%edx),%eax
mov %eax,0xfffffffc(%ebp)
popa
mov 0xfffffffc(%ebp),%eax
Any idea anyone ?
Thanks for your help.
Laurent Pinchart
More information about the wine-devel
mailing list